
Page 1: DATA PROTECTION - AUSTRALIA: TAKING IT SERIOUSLY: AUSTRALIA’S NEW COMMITMENT TO DATA PROTECTION

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

166

Data Protection — Australia

This article outlines the most recent developments in Australia in respect of data protection legislation. The Federal Government has reversed an earlier decision not to legislate to extend data protection to the private sector. The draft provisions of the proposed Bill have now been released and are briefly discussed.

DATA PROTECTION — AUSTRALIA TAKING IT SERIOUSLY: AUSTRALIA’S NEW COMMITMENT TO DATA PROTECTION

Professor Margaret Jackson

INTRODUCTION

Over the last few years, the Federal Government has wavered about whether or not to introduce data protection legislation to cover the private sector. It is necessary to briefly describe the operation of the current Federal data protection scheme in Australia to provide the context for the new developments that have occurred since 1996. The Privacy Act 1988 (Cth) applies only to Federal Government agencies and to the private sector in respect of tax file numbers. A 1989 amendment to the Act extended its operation to the private sector to cover the information handling activities of credit reporting agencies and credit providers. This means that state and territory public sectors, with the exception of the Australian Capital Territory,[1] are not covered by the Act and neither is the private sector.

Since 1998, a number of government reports had called for the extension of the Privacy Act to the private sector, particularly as government organizations, such as those concerned with mail services and communications, had been either fully or partially privatized and had moved outside the ambit of the Act.[2] In September 1996, the Federal Attorney-General proposed that amendments would be made to the Privacy Act to extend its operation to all individuals and organizations in Australia, including Federal Government business enterprises, such as Telstra Corporation and the Australian Postal Corporation. However, in March 1997, the Prime Minister announced that his Government had decided not to enact privacy legislation for the private sector. The stated reason for this decision was that compliance with the legislation would place unacceptable financial burdens on Australian businesses. Instead, the Federal Privacy Commissioner was requested to develop a process for voluntary codes of conduct for the private sector.

NATIONAL PRINCIPLES FOR THE FAIR HANDLING OF PERSONAL DATA

After extensive consultation with industry, the Privacy Commissioner released the National Principles for the Fair Handling of Personal Data in February 1998. They were revised in January 1999. The National Principles differed from the Information Privacy Principles (IPPs) contained in the Privacy Act and applicable to the public sector. While the National Principles encapsulate the IPPs contained in the Privacy Act, they include a number of new elements. These include: the right of individuals to not identify themselves when entering transactions;[3] restrictions on organizations using government assigned identifiers, such as Medicare numbers;[4] a preference that organizations collect personal information directly from the individual concerned;[5] a limitation on the collection of highly sensitive information about individuals;[6] and some guidelines on the transfer of information to third parties.[7]

The most obvious difference was the language in which they were written in that they are voluntary guidelines, expressing expectations of good practice rather than legal requirements. As well, the Guidelines accompanying the National Principles were seen as being quite broad. A number of issues were not addressed, including the mechanisms to be put in place for dealing with complaints, compliance and disputes, and whether or not the Principles covered information about employees.[8]

Generally, the response to the National Principles was not favourable. Most of the opposition centred, however, around their lack of enforceability as a voluntary set of principles, and concerns about the potential for a variety of legislative action by states and territories to fill the privacy protection vacuum created by the Government. In fact, two states, New South Wales and Victoria, decided to proceed with their own legislative solutions to the privacy concerns of the general public.

SENATE LEGAL AND CONSTITUTIONAL REFERENCES COMMITTEE REVIEW OF PRIVACY AND THE PRIVATE SECTOR

At the same time that the Federal Government announced that it had decided not to legislate to cover the private sector, it also announced it was proposing to outsource the processing of tax, health, education and welfare records. Increasingly, the operation of government services was being moved outside the operation of the Act. To address growing public concern, the Government then decided that a limited extension of the Act would be introduced to cover situations where government information was outsourced to private sector organizations.

A Privacy (Amendment) Bill 1998 was drafted and passed by the House of Representatives on 1 April 1998. The Senate, however, referred the Bill to the Senate Legal and Constitutional References Committee for review. The terms of reference of the Committee were broader than just a review of the draft legislation. It was requested to investigate:

• The need for the Commonwealth privacy legislation to be extended to the private sector, [particularly in the light of international and state developments in the area]…;

• The effectiveness of any privacy scheme that does not have legislatively backed complaints, investigations and enforcement mechanisms;

• The appropriateness of using the National Principles ... as a basis for a co-regulatory regime for the private sector and the best means of implementing such a scheme;

• The appropriateness of the provisions of the Privacy Amendment Bill 1998.[9]

The Committee found evidence of widespread community concern over personal privacy rights generally, particularly in the areas of electronic commerce and the Internet.[10] It noted the expanding body of international law and standards in the area of data protection and recommended that Australia should be guided by these. It believed that failure to achieve appropriate standards of best practice “had the potential to damage Australia’s trade interests by inhibiting the ability of trade partners to exchange information and by limiting the confidence of the Australian public in emerging technologies”.[11]

The Committee noted serious deficiencies in the National Principles, specifically a failure to deal with the rights of data subjects; granting preference to the operations of certain industries, such as direct marketing; provision of little limitation on the discretion of certain parties; virtually no direction as to the way in which the minimal protections provided in the Principles would be safeguarded; a failure to consider privacy as a human right; and a bias for the needs of the business community over the rights of individuals.[12] In particular, the Principles used wording such as ‘should’ or ‘ought’ in describing what organizations were expected to do, rather than words such as ‘will’ and ‘must’.[13] This wording reflects, of course, the voluntary nature of the Principles.

Another concern was that the National Principles did not clearly cover employee data, which the European Union had identified in its submission to the Senate Committee as an important part of international data flows.[14] The Committee noted that exclusion of employee data from the coverage of a common privacy system may result in a situation where an individual has certain rights as a consumer or purchaser of services that are denied to him or her as an employee.[15]

Those groups opposed to the inclusion of employee data, such as the Australian Chamber of Commerce and Industry, argued that employee records were already covered under workplace relations legislation, awards and agreements and so it would lead to duplication to include such records under a general privacy regime.[16] The Committee recommended that more consideration should be given to ‘the relationship between existing laws regulation employer records and proposed [privacy] legislation which would seek to cover employee data’.[17] It was particularly concerned that the workplace relations law did not protect employee data which is being processed or dealt with overseas.[18]

Finally, the Committee expressed concern that the National Principles contained no information about implementation, monitoring or enforcement.[19] It noted that there was no agreed program to develop appropriate enforcement mechanisms at the time of writing the report.[20]

The Committee considered that the National Principles were “a very weak and piecemeal approach to the issue of collection and protection of data”[21] and went on to comment that, “private sector self-regulatory systems do not, of themselves, provide an adequate system for privacy protection in Australia. Without an adequate enforcement mechanism the National Principles lack force and cannot provide the basis for a national privacy scheme.”[22]

In general, the Committee concluded that self-regulation:

• fails to guarantee that the content of a self-regulatory scheme will meet best international practice standards;

• fails to guarantee to a level acceptable to the community a level of compliance with the accepted privacy principles;

• cannot guarantee to provide a means for people to exercise and protect their right to privacy, that is, cannot provide an accessible enforcement mechanism; and

• cannot guarantee to provide redress when a privacy right is breached, by way of specific remedies, sanctions or compensation.[23]

Interestingly, given the Prime Minister’s stated reasons in 1997 for abandoning privacy legislation for the private sector, the Committee concluded that introduction of comprehensive privacy legislation covering the private sector should not necessarily entail high compliance costs. It noted that the New Zealand privacy protection scheme had been able to keep compliance costs to a minimum.[24]

Finally, the Committee strongly recommended “the reconsideration of a co-regulatory scheme underpinned by national uniform privacy legislation applicable across all sectors”.[25]

The Committee’s views on the Privacy Amendment Bill 1998 were equally as critical. It concluded “that the objectives of the Bill are inadequate to meet the wider need for privacy protection over the private sector in Australia”.[26] While it supported the objectives of the Bill to try to overcome the erosion of the coverage of the Privacy Act caused by outsourcing of government functions to the private sector, it believed that the Bill would only add to the piecemeal approach to privacy protection in Australia. It was critical, too, of the fact that the Information Privacy Principles (IPPs) from the Privacy Act had been used in the Bill rather than the National Principles, although, as noted earlier, the Committee believed the National Principles were flawed. It strongly recommended a revision of the National Principles, with reference to the European Union Directive on Data Protection.

THE PROPOSED FEDERAL PRIVACY REGIME

In December 1998, the Attorney-General and the Minister for Communications, Information Technology and the Arts announced that the Federal Government had changed its mind and that it now proposed to legislate to cover the private sector.


The Attorney-General released an Information Paper titled The Government’s Proposed Legislation for the Protection of Privacy in the Private Sector in September 1999. This paper outlined the Government’s new intent to introduce data protection legislation that would apply to the private sector and to government business enterprises. The Government proposal is to amend the Privacy Act but to base the provisions applying to the private sector on the National Privacy Principles, rather than on the Information Privacy Principles (IPPs) already in the Act which cover the public sector. The new legislation will act as a ‘default legislation framework’ but businesses would be encouraged to self-regulate. The proposed approach is described by the Attorney-General as “light touch”.

The Attorney-General’s Information Paper was circulated widely for public discussion in September 1999. Over 50 submissions were received. Although it had been announced that the Bill would be drafted by the end of 1999, the Attorney-General decided to delay the introduction of the Bill until early 2000 “in order to provide an opportunity for further consultation on key aspects”.[27] On 20 December 1999, the Attorney-General released draft provisions of the proposed Privacy Amendment (Private Sector) Bill, together with Overview Statements on the Bill itself, the media exemption and the handling of health information. The National Principles had been revised and also modified in their application to personal health information and transborder data flow. Comments on the draft provisions were requested by 17 January 2000 with the legislation introduced into Parliament by February 2000.

The proposed legislation will apply to all personal information held by organizations and individuals, operating in a business capacity, and to Commonwealth bodies and government business enterprises that are not, because of their commercial nature, covered by the existing public sector application of the Privacy Act. It will not apply to State or Territory public sector agencies.

Under the draft provisions, the acts and practices of ‘organizations’ in relation to the collection, use, disclosure and storage of personal information are covered. Clause 19 defines an ‘organization’ to include an individual, a body corporate, a partnership, any other unincorporated association and a trust. The collection of personal information by one body corporate from a related body corporate is specifically permitted, as is the disclosure of information by one related body corporate to another.[28]

An organization is permitted to develop its own privacy code that must be approved by the privacy commissioner. Such a code must provide the same or greater privacy protection as the National Principles. Under the new scheme, those industry groups which had developed privacy codes in accordance with the voluntary National Principles and those which develop them under the proposed legislation will be able to set up their own complaint handling scheme with their own code complaint body. These privacy codes can be developed to apply to members of an industry body, a specific industry sector, a type of activity, such as direct marketing, to one organization, or to types of information, such as health information.

There are four specific exemptions. First, the draft provisions exempt any acts or practices done by an organization “in the course of journalism”.[29] Second, personal information collected by individuals for the purposes of or in connection with personal, family or household affairs is exempt.[30] Third, personal information collected by a business with an annual turnover of US$1 000 000 or less is also exempt.[31] Finally, employee records are exempt. As noted earlier, this exemption had been criticized by the Senate Legal and Constitutional References Committee. It considered that, in this regard, the National Principles failed to meet the higher standard set by the European Union Data Protection Directive, which does cover such data.[32] A substantial proportion of the personal information held by the private sector is employee data and its exclusion does impact on the rights of an important group of stakeholders in the information privacy process.

An important amendment to the National Principles is their application in relation to the collection, use and disclosure of health information, now a category of sensitive information. Principle 10.1 in the Draft Provisions states that sensitive information about an individual may not be collected unless certain circumstances are satisfied:

• The individual concerned has consented;

• The collection is required or authorized by or under law;

• The collection is necessary to prevent or lessen a serious or imminent threat to the life or health of any individual who is unable to consent;

• The information is collected in the course of the activities of a non-profit organization; and

• The information is necessary for the establishment, exercise or defence of a legal or equitable claim.

Principles 10.2 and 10.3 go on, however, to provide further circumstances in which an organization can collect health information. These circumstances allow collection for the purpose of providing a health service to an individual, and for research or the compilation and analysis of statistics relevant to community welfare if there is no other way to collect the information, it is not possible to seek the individual’s consent and the information is collected according to the Privacy Commissioner’s medical research guidelines or in accordance with appropriate medical ethics guidelines. The use and disclosure of the health information permitted to be collected in Principle 10 is covered by Principle 2, using similar wording and grounds for exemptions.

Principle 2.3 permits the disclosure of an individual’s health information to his or her immediate family members where such disclosure is necessary to provide appropriate care or treatment or on compassionate grounds. The individual must be physically or legally incapable of giving or communicating consent and the disclosure must not be contrary to any prior wish of the individual known to the treating organization. Principle 6.1(a) permits access to health information to an individual unless such access would pose a serious threat to the life or health of any individual.

CONCLUSION

Generally, the draft provisions, which are incomplete, reflect only moderate changes to the National Principles. Primarily, there has been a revision to incorporate legislative language, the exemption of media information, and the inclusion of health information in their coverage. Only some of the recommendations to improve the National Principles proposed by the Senate Legal and Constitutional References Committee have been adopted and, disappointingly, there has been no comment or discussion about why many of the recommendations have been ignored. The Attorney-General stated in his overview of the key provisions that Government policy was settled, implying that the Government was not prepared to review its decision to use the National Principles as amended in the legislation. There still appears to be a bias towards the needs of organizations rather than towards the rights of individuals, particularly in the area of direct marketing.

It has been suggested that substantial amendments to the National Principles will only be achieved when the Bill reaches the Senate, in which the Government does not have a majority.[33] Both Democrat and Labor senators have criticized the National Principles and may be in a position to gain some amendments.

While it can be argued that any national legislation covering the private sector is better than none, there would appear to be a need for further consideration of the National Principles and their use. In particular, it seems unfortunate that Australia cannot have one standard set of data protection guidelines applicable to both sectors. The Federal Government has now another opportunity to redraft both the Privacy Act IPPs and the National Principles to achieve a uniform set of IPPs.

Margaret Jackson, Professor of Computer Law, School of Accounting and Law, RMIT Business, Melbourne. E-mail: [email protected]

FOOTNOTES

1 In July 1994, the Act was also amended to cover public sector agencies of the Australian Capital Territory, Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (ACT) s 23, schedule 3.
2 See, for example, AUSTEL, Telecommunications Privacy: Final report of AUSTEL’s Inquiry into the Privacy Implications of Telecommunications Services (1992); Australian Law Reform Commission and the Administrative Review Council (ALRC & ARC), Open government: a review of the federal Freedom of Information Act 1982 (Cth) (1995); and Commonwealth House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report on the Protection of Confidential Personal and Commercial Information held by the Commonwealth (1995).
3 National Principles, clause 8.
4 Ibid clause 7.
5 Ibid clause 1.4.
6 Ibid clause 10.
7 Ibid clause 9.
8 Office of the Privacy Commissioner, National Principles for the Fair Handling of Personal Data, Revised edition, January 1999, p. 3.
9 Senate Legal & Constitutional References Committee, Privacy in the Private Sector: Inquiring into Privacy Issues, including the Privacy Amendment Bill 1998, 25 March 1999.
10 Ibid, paras 2.10-15, 2.91.
11 Ibid, para 3.92.
12 Ibid, para 5.121.
13 Ibid, para 5.80.
14 Ibid, para 5.84.
15 Ibid, para 3.19.
16 Ibid, para 3.15.
17 Ibid, para 3.22.
18 Ibid, para 5.92.
19 Ibid, para 5.122.
20 Ibid, para 5.135.
21 Ibid, para 5.121.
22 Ibid, para 5.140.
23 Ibid, para 5.142.
24 Ibid, para 8.23.
25 Ibid, para 8.48.
26 Ibid, para 6.71.
27 Attorney-General, Overview of Key Provisions: A privacy scheme for the private sector, 20 December 1999, p. 1.
28 Clause 22.
29 Clause 38.
30 Clauses 34-36.
31 Clauses 42-45.
32 Senate Legal & Constitutional References Committee, Privacy in the Private Sector: Inquiring into Privacy Issues, including the Privacy Amendment Bill 1998, 25 March 1999, paras 5.92 & 5.93.
33 Graham Greenleaf, ‘Senate Committee condemns the National Privacy Principles’ (1999) 5 Privacy Law & Policy Reporter 10, 11.